Third Party Risk Governance in a Diverse Environment
Iman Joshua, CISO, Healthagen
How are most organizations handling Third Party Risk?
The methods we use to evaluate Third Party Risk are generally inadequate: they do not provide a holistic view of the third party or of the risk it actually introduces.
What do we normally do?
• Questionnaires
• Onsite visits
• 3rd party audits
How can we design this process better?
A holistic approach to managing third party risk
• Classify business risk: data classification, impact
• Categorize vendors: engagement, capabilities
• Evaluation tools
• Remediation tracking
Categorizing Vendors
Third Party Risk Governance Program
[Diagram: business forms feed the Third Party Universe; Third Party Governance uses an eGRC tracking tool; law firms are one vendor category; the Category Risk Grid covers Encryption & Authentication and Security Performance]
How did we get here?
• Define required controls that all departments must follow
• Create an inventory of Third Parties: procurement, business, contract reviews, submitted RFPs
• Educate, educate, educate! Vendor conferences, employee training
• Create a “gate” in procurement and legal
• Identify a central searchable repository
• Determine which tools are going to be used for evaluation:
  – BSIMM
  – VAST/Veracode
  – Prevalent – security questionnaires
  – Third Party assessments – SIG, AUP, SOC, etc.
  – Security Scorecard
Centralized Portal for Tracking via Archer
Third Party Governance Controls
Several controls added to the Third Party Governance Process specifically address cyber security risks (CONTROL – DETAIL – TYPE):
• Standardized Information Gathering Tool (SIG) – Full SIG for Hosting Third Parties 2015 – Questionnaire
• Agreed Upon Procedures (AUP) – 90+ Controls Reviewed by Third Party – Controls Assessment
• Vendor Building Security In Maturity Model (vBSIMM) – Software Security Maturity Assessment Performed by Assessor
• Code Scan – Conducted by Third Party and Shared with Assessor
• Vulnerability Scan – Controls Obtained Through Network Scanning of Internet Facing Endpoint
• Security Performance – Controls Assessment
Copyright 2015 Aetna Inc.
Standardized Information Gathering (SIG)
Process: Assessor & Third Party → Third Party emails the completed SIG → SIG assessment exchange (the Third Party is given the opportunity to answer follow-up questions via email prior to the meeting) → Final action items & scoring.
SIG and SIG Hybrid areas. SIG Management Tool: runs a mismatch of the Third Party SIG against the Master SIG.
• Compilation of questions to determine how IT and Data Security risks are managed across a broad spectrum of risk control areas
• Full SIG – over 1,500 questions
• 95.0%
Control Accomplishments
“I like the fact that Company X is working to help the industry remove the need to complete assessments by providing the opportunity to complete one SIG and use it for additional engagements.” – stated by multiple Third Parties
• Awareness of Third Party IT and Data Security vulnerabilities
• The SIG Master is compared to the Third Party SIG to identify vulnerabilities to be remediated
• Remediation action items for vulnerabilities are tracked to completion and re-assessed for sign-off / accountability
eGRC tracking tool: remediation action items stored in the tracking tool and documented in contracts.
AUP vs SOC2
• Determine a single control standard
• Determine if supplemental documentation will be accepted
• Engage a Third Party as a preferred Third Party
• Understand the difference between the AUP and the multiple types of SOC(s)
Vendor Building Security In Maturity Model (vBSIMM)
Process: Assessor & Third Party → completed vBSIMM assessment → review meeting → provide training → final action items & scoring.
vBSIMM process areas (assessment & initial scoring system):
• Architecture Analysis
• Code Review
• Security Testing
• Penetration Testing
• Configuration Management – Incident Response / Vulnerability Management
Scoring: top total score = 15 points; top score for each area = 3 points (0 = Not Implemented, 1 = Low Maturity, 2 = Medium Maturity, 3 = High Maturity).
Control Accomplishments
• Awareness of Third Party software development vulnerabilities
• Training provided to the Third Party to improve maturity
“Thank you for taking the time to teach us the process and the areas where our software development can be improved.” – Third Party
• Remediation action items for vulnerabilities are tracked to completion and re-assessed for sign-off / accountability
• 90.0%
eGRC tracking tool: remediation action items stored in the tracking tool and documented in contracts.
Application Security and Third Party Risk Management
What is vBSIMM? Simply put, vBSIMM is an assessment process that provides visibility into the maturity of a Third Party’s ability to deliver secure software by evaluating: Architecture Analysis, Code Review, Security Testing, Penetration Testing, and Config / Vuln Mgmt.
vBSIMM Practices (1)
• Architecture Analysis – Activity: Third Party performs security design / architecture / feature review (threat models).
• Code Review – Activity: Third Party uses automated tools and/or manual review.
• Security Testing – Activity: Third Party ensures QA supports edge/boundary value condition testing.
• Penetration Testing – Activity: Third Party uses penetration testers to identify security vulnerabilities.
• Configuration Management – Incident Response / Vulnerability Management: Third Party uses vulnerability / incident data to modify security practices (prevention).
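An added example, not from the deck or from any Aetna tooling, that models the two mechanisms described on the SIG and vBSIMM slides: the mismatch of a Third Party SIG against the Master SIG, and the 0–3 per-area vBSIMM scoring (15 points maximum), with both feeding remediation action items that close only after re-assessment. The question identifiers, the vendor answers, the target level of 2/3 and the function names are assumptions.

```python
from dataclasses import dataclass

# The five vBSIMM practice areas from the slides; each is scored 0-3, 15 max.
VBSIMM_AREAS = ("Architecture Analysis", "Code Review", "Security Testing",
                "Penetration Testing", "Config Mgmt / Incident Response / Vuln Mgmt")
MATURITY = {0: "Not Implemented", 1: "Low Maturity", 2: "Medium Maturity", 3: "High Maturity"}


@dataclass
class ActionItem:
    vendor: str
    source: str      # "SIG" or "vBSIMM"
    control: str     # SIG question id or vBSIMM practice area
    finding: str
    status: str = "open"   # open -> signed_off (only after re-assessment)


def sig_mismatch(vendor, master_sig, vendor_sig):
    """Compare the Third Party's SIG answers with the Master SIG.
    Every answer that differs from the expected one (or is missing) becomes
    a remediation action item, which is what the tracking tool records."""
    items = []
    for qid, expected in master_sig.items():
        answer = vendor_sig.get(qid, "unanswered")
        if answer != expected:
            items.append(ActionItem(vendor, "SIG", qid, f"expected {expected!r}, got {answer!r}"))
    return items


def vbsimm_score(vendor, scores, min_level=2):
    """Validate per-area scores (0-3) and return (total out of 15, action items).
    An area that was not scored counts as 0 (Not Implemented). min_level is an
    assumed target maturity; areas below it get a remediation action item."""
    total, items = 0, []
    for area in VBSIMM_AREAS:
        level = scores.get(area, 0)
        if level not in MATURITY:
            raise ValueError(f"{area}: score must be 0-3, got {level!r}")
        total += level
        if level < min_level:
            items.append(ActionItem(vendor, "vBSIMM", area,
                                    f"{MATURITY[level]} ({level}/3), target {min_level}/3"))
    return total, items


def sign_off(item, reassessed_ok):
    """Close an action item only when re-assessment confirms the fix."""
    item.status = "signed_off" if reassessed_ok else "open"
    return item.status
```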
Security Alert & Performance Tool
The intent is to provide awareness of vulnerabilities and help uplift Third Parties’ security posture to the maturity of your company.
How do we continue to educate others?
• Annual vendor conference
• Vendor portal
• AV-ISAC
Thank you! Questions?
F. Iman Joshua, ijoshua@aetna.com